Tech Support banner

Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
5 Posts
Discussion Starter #1
Hey guys, recently my computer started behaving strangely and I believe I have some sort of a virus. Two icons, with the names of "Live Safety Center" and "Online Security Guide," downloaded themselves onto my desktop. Also I would receive random pop-ups in IE imploring me to "find true love," among other things. Also I would receive a flashing exclamation point on my desktop toolbar stating that I had some sort of a virus and that I should go to a certain site to download software to remove it. There were a few other notifications that would pop up that would say other things, but at the moment I can't remember exactly what they said (although I think it also had to do with a virus on the computer and asking me to click on something to get rid of it). Any ideas on what's happening here? Thank you in advance for taking a look for me.

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:06 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Howard\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\HOWARD\Application Data\Mozilla\Profiles\default\m0plx7f8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HOWARD\Application Data\Mozilla\Profiles\default\m0plx7f8.slt\prefs.js)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [648a98bb] rundll32.exe "C:\WINDOWS\system32\thirtxiy.dll",b
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141591282654
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7307 bytes
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
---------------------------------------------------------------------------------------------
 

·
Registered
Joined
·
5 Posts
Discussion Starter #3
Bob, thank you for your attention. In the past few days I've done some things on my own and my computer seems to be much better, but I'd still like to have you take a look at my logs just to see if you spot anything fishy still hanging around.






Deckard's System Scanner v20071014.68
Run by Howard on 2007-11-14 21:38:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
95: 2007-11-15 02:38:59 UTC - RP647 - Deckard's System Scanner Restore Point
94: 2007-11-14 15:32:01 UTC - RP646 - Software Distribution Service 3.0
93: 2007-11-14 06:41:13 UTC - RP645 - System Checkpoint
92: 2007-11-13 06:10:51 UTC - RP644 - ComboFix created restore point
91: 2007-11-12 16:05:20 UTC - RP643 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2007-11-09 21:23:27 UTC - RP553 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Howard.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:52 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Howard\Desktop\dss.exe
C:\DOCUME~1\Howard\Desktop\Howard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\HOWARD\Application Data\Mozilla\Profiles\default\m0plx7f8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HOWARD\Application Data\Mozilla\Profiles\default\m0plx7f8.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D596821-6B67-48D1-EBA9-024D6DC514F9} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {40CA253E-6CD7-4292-8512-6E2C824E4B3E} - (no file)
O2 - BHO: {2fdeaac6-842b-a02a-30c4-952da7f2f585} - {585f2f7a-d259-4c03-a20a-b2486caaedf2} - (no file)
O2 - BHO: (no name) - {AD60456E-697C-42E2-A4CB-4276D6468100} - (no file)
O2 - BHO: (no name) - {C8CF3ECE-B3CA-4AA5-96BA-8CF02379197E} - (no file)
O2 - BHO: (no name) - {E301D0D7-7C2C-4306-A016-4AFD410CB278} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141591282654
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7770 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >

S3 catchme - c:\docume~1\howard\locals~1\temp\catchme.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 UWProSys (Process monitor.) - c:\program files\cyberdefender\antispyware\uwprosys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

S3 SandraDataSrv (Sandra Data Service) - c:\program files\sisoftware\sisoftware sandra professional 2005.sr3\rpcdatasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2005.SR3>
S3 SandraTheSrv (Sandra Service) - c:\program files\sisoftware\sisoftware sandra professional 2005.sr3\rpcsandrasrv.exe <Not Verified; SiSoftware; SiSoftware Sandra 2005.SR3>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-09 21:17:58 566 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Howard.job


-- Files created between 2007-10-14 and 2007-11-14 -----------------------------

2007-11-12 13:09:13 0 d-------- C:\ie-spyad_zo
2007-11-12 12:56:35 0 d-------- C:\Program Files\SpywareBlaster
2007-11-12 11:05:29 0 d-------- C:\Documents and Settings\Howard\Application Data\SUPERAntiSpyware.com
2007-11-11 19:41:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-11 18:50:53 0 d-------- C:\Program Files\Safer Networking
2007-11-11 18:29:45 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-10 23:42:20 0 dr-h----- C:\Documents and Settings\Howard\Recent
2007-11-10 22:39:06 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-10 22:36:38 0 d-------- C:\Program Files\SpywareDetector
2007-11-10 18:44:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-10 18:44:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-10 18:44:11 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-10 11:40:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 11:39:07 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 11:35:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-10 08:50:13 0 d-------- C:\VundoFix Backups
2007-11-09 16:17:59 0 d-------- C:\WINDOWS\system32\rMa01yy
2007-11-07 13:03:21 0 d-------- C:\Program Files\The Weather Channel FW
2007-11-06 16:46:59 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-06 16:46:41 0 d-------- C:\Program Files\Common Files\Viewpoint
2007-10-30 19:07:51 15781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2007-10-30 19:07:47 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-10-30 19:07:47 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-10-30 19:07:45 147456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-10-30 19:07:45 651264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-10-30 19:07:45 929792 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-10-30 19:07:31 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor


-- Find3M Report ---------------------------------------------------------------

2007-11-14 21:40:47 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-12 11:04:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 23:05:56 0 d-------- C:\Program Files\Yahoo!
2007-11-06 16:53:48 0 d-------- C:\Program Files\Viewpoint
2007-11-06 16:46:41 0 d-------- C:\Program Files\Common Files
2007-10-30 19:07:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-28 23:38:46 0 d-------- C:\Program Files\Soulseek
2007-10-13 01:34:02 0 d-------- C:\Program Files\Common Files\AOL
2007-10-10 03:05:23 0 d-------- C:\Program Files\Norton Internet Security
2007-10-03 13:04:21 0 d-------- C:\Program Files\Symantec
2007-09-18 14:32:26 0 d-------- C:\Program Files\AIM
2007-09-18 14:32:25 0 d-------- C:\Documents and Settings\Howard\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D596821-6B67-48D1-EBA9-024D6DC514F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40CA253E-6CD7-4292-8512-6E2C824E4B3E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{585f2f7a-d259-4c03-a20a-b2486caaedf2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD60456E-697C-42E2-A4CB-4276D6468100}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CF3ECE-B3CA-4AA5-96BA-8CF02379197E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E301D0D7-7C2C-4306-A016-4AFD410CB278}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 02:56 AM C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04/19/2004 08:19 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= qvphook.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnmn]
urqqnmn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhff.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
backup=C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\xxswcguc.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

*Newly Created Service* - COMHOST
*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2007-11-14 21:41:58 ------------
 

Attachments

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Looks like you did a number on it. VundoFix and SUPERAntiSpyware seem to have tamed most of it.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0D596821-6B67-48D1-EBA9-024D6DC514F9} - (no file)
O2 - BHO: (no name) - {40CA253E-6CD7-4292-8512-6E2C824E4B3E} - (no file)
O2 - BHO: {2fdeaac6-842b-a02a-30c4-952da7f2f585} - {585f2f7a-d259-4c03-a20a-b2486caaedf2} - (no file)
O2 - BHO: (no name) - {AD60456E-697C-42E2-A4CB-4276D6468100} - (no file)
O2 - BHO: (no name) - {C8CF3ECE-B3CA-4AA5-96BA-8CF02379197E} - (no file)
O2 - BHO: (no name) - {E301D0D7-7C2C-4306-A016-4AFD410CB278} - (no file)
O20 - Winlogon Notify: urqqnmn - urqqnmn.dll (file missing)
O24 - Desktop Component 0: (no name) - (no file)


Close HijackThis now.

---------------------------------------------------------------------------------------------

Delete these:

C:\VundoFix Backups
C:\WINDOWS\system32\rMa01yy

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:


Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 u3 and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windowsi586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Please run Deckard's System Scanner once again, and post it's log. Only main.txt will appear this time.
 

·
Registered
Joined
·
5 Posts
Discussion Starter #5
Bob, I followed your steps and didn't have any problems.

Here is my DSS log:

Deckard's System Scanner v20071014.68
Run by Howard on 2007-11-15 09:37:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Howard.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:09 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Howard\Desktop\dss.exe
C:\DOCUME~1\Howard\Desktop\Howard.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "C:\\TEMPDOWNLOADS");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, ISO-8859-1");
user_pref("network.cookie.prefsMigrated", true);
user_pref("prefs.converted-to-utf8", t
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("aim.session.firsttime", false);
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "C:\\TEMPDOWNLOADS");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html");
user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
user_pref("intl.charsetmenu.browser.cache", "us-ascii, UTF-8, ISO-8859-1");
user_pref("network.cookie.prefsMigrated", true);
user_pref("prefs.converted-to-utf8", t
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141591282654
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR3\RpcSandraSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9404 bytes

-- Files created between 2007-10-15 and 2007-11-15 -----------------------------

2007-11-14 23:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-14 23:44:53 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-14 23:30:18 0 d-------- C:\Program Files\Java
2007-11-14 23:30:11 0 d-------- C:\Program Files\Common Files\Java
2007-11-14 23:29:14 0 d-------- C:\Documents and Settings\Howard\Application Data\Sun
2007-11-12 13:09:13 0 d-------- C:\ie-spyad_zo
2007-11-12 12:56:35 0 d-------- C:\Program Files\SpywareBlaster
2007-11-12 11:05:29 0 d-------- C:\Documents and Settings\Howard\Application Data\SUPERAntiSpyware.com
2007-11-11 19:41:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-11 18:50:53 0 d-------- C:\Program Files\Safer Networking
2007-11-11 18:29:45 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2007-11-10 23:42:20 0 dr-h----- C:\Documents and Settings\Howard\Recent
2007-11-10 22:39:06 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-11-10 22:36:38 0 d-------- C:\Program Files\SpywareDetector
2007-11-10 18:44:12 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-10 18:44:12 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-10 18:44:11 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-10 11:40:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-10 11:39:07 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-10 11:35:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 13:03:21 0 d-------- C:\Program Files\The Weather Channel FW
2007-11-06 16:46:59 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-06 16:46:41 0 d-------- C:\Program Files\Common Files\Viewpoint
2007-10-30 19:07:51 15781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2007-10-30 19:07:47 94208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-10-30 19:07:47 15872 --a------ C:\WINDOWS\system32\GTNDIS5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
2007-10-30 19:07:45 147456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-10-30 19:07:45 651264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-10-30 19:07:45 929792 --a------ C:\WINDOWS\system32\AegisE5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2007-10-30 19:07:31 0 d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor


-- Find3M Report ---------------------------------------------------------------

2007-11-15 01:23:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-14 23:30:11 0 d-------- C:\Program Files\Common Files
2007-11-14 23:22:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-12 11:04:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 23:05:56 0 d-------- C:\Program Files\Yahoo!
2007-11-06 16:53:48 0 d-------- C:\Program Files\Viewpoint
2007-10-28 23:38:46 0 d-------- C:\Program Files\Soulseek
2007-10-13 01:34:02 0 d-------- C:\Program Files\Common Files\AOL
2007-10-10 03:05:23 0 d-------- C:\Program Files\Norton Internet Security
2007-10-03 13:04:21 0 d-------- C:\Program Files\Symantec
2007-09-18 14:32:26 0 d-------- C:\Program Files\AIM
2007-09-18 14:32:25 0 d-------- C:\Documents and Settings\Howard\Application Data\Help


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 02:56 AM C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 08:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04/19/2004 08:19 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
backup=C:\WINDOWS\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2007-11-15 09:38:37 ------------



And here is my Kaspersky log (looks like there are a few problems hanging around?):

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 15, 2007 9:37:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 459770
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 50940
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 6
Duration of the scan process: 01:11:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu2000219.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-15_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\392901F9.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3BFCD9E7.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Howard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\History\History.IE5\MSHist012007111420071115\index.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\History\History.IE5\MSHist012007111520071116\index.dat Object is locked skipped
C:\Documents and Settings\Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Howard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Howard\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP638\A0058522.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP640\A0063792.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP640\A0063792.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP640\A0063792.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP640\A0063800.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP641\A0064932.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP643\A0064968.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP643\A0064969.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP643\A0070047.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP643\A0071050.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{C6505D2D-08F0-43CF-90E5-C0C8E1EE36A4}\RP649\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
That look great, PhilinIL -

All finds by Kaspersky are in Quarantine or System Restore points.


When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

Please use Symantec's guide to remove the Norton Quarantine files.

Your logs appear clean.You should be good to go. We still have a few items to address.

C:\Deckard is DSS working folder. You can safely delete it. Also delete dss.exe

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.

    IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.



    Here are some additional utilities that will further enhance your safety.
    • http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

    • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

    • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

      ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

      NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
    In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articlesIf you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

    Please respond to this thread one more time so we can mark this thread as resolved.
 

·
Registered
Joined
·
5 Posts
Discussion Starter #7
Thanks again Bob. I followed almost all of the steps you outlined above and things seem much better. My only problem is that I'm having a heck of a time trying to remove the Norton Quarantine files using Symantec's guide. I can't really find the page they're referring to and when I get to what seems like a similar page (manage quarantine files), I'm not seeing the option to delete the old viruses. Any ideas?
 

·
TSF Security Manager, Emeritus
Joined
·
52,197 Posts
Well, I don't use Norton, but in most AVs, once you get to the Quarantined Files interface, there is some sort of "Highlight and delete finally" function, whether it's a button at the bottom of the screen, or via right click on the item.

Conversely, you can simply navigate to the folder, and delete the contents....but not the folder itself.

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Does that help?
 

·
Registered
Joined
·
5 Posts
Discussion Starter #9
Absolutely, thank you. I found that folder, but I didn't know if it was okay to manually delete its contents or if I need to do it using the process that Symantec describes. Either way it's taken care of now. Other than that I think I'm good. Thank you again for all of your help! :pray:
 
1 - 10 of 10 Posts
Status
Not open for further replies.
Top